Preparations are well under way at the Health Center
for a new federal law designed to protect patients'
private health information.

The new law, the Health Insurance Portability and
Accountability Act of 1996, sets several new
standards for health care providers that will:

give patients more control over their health
records;

set boundaries on the use and release of health
records;

require health care providers to protect the
privacy and security of health information;

set standards for billing and claims
transmissions; and

provide for civil and criminal penalties for
violations of patients' privacy rights.

As the Health Center moves to comply with the new
law, many of its business practices will be
affected, from the way medical records are written
and stored, to the way bills are sent out and
patient information shared, whether in writing,
electronically, or in conversation.

"We are reviewing all our computer applications to
see what needs to be done to make them conform with
the new law," says Robert Brandner, assistant vice
president for information technology, who heads the
Health Center's HIPAA program. "And we are working
with all our vendors to make sure they have taken
appropriate steps to comply with the law."

Under HIPAA's privacy standard, health care
providers can share private medical information for
treatment, payment, or health operations purposes,
but they must secure that patient information from
those who don't need it.

The law includes considerable penalties for
violations - up to $25,000 per year per HIPAA
standard.

"Fortunately, the Health Center has always given
high priority to confidentiality of patient
information," says Iris Mauriello, the Health
Center's compliance officer. "The new law, however,
requires us to take additional steps to safeguard
information and to monitor our efforts on an
ongoing basis."

The Health Center must now develop and post its
privacy procedures so patients are aware of them.
And it has to train all its employees so they
understand the new procedures.

"Initially, there was some concern that hospitals
would have to build sound-proof rooms and encrypt
all their communication systems so health
information couldn't be overheard," says Mauriello.
"Clarifications to the federal regulations have
made it clear that kind of retrofitting isn't
required. It does, however, require us to take
reasonable safeguards to avoid disclosing private
information. That could mean shielding a computer
in a treatment area, or using cubicles or shields
in large treatment areas to allow some privacy for
patient-staff communications."

The Health Center has established a project office
under Brandner. "We are working with other health
care providers and payers around the country to
make sure our practices are in step with others
throughout the industry," he says.

The law gives health care providers time to comply,
with the first deadline in October 2002. Says
Brandner, "I feel confident that we're in pretty
good shape."